KeePassXC risk analysis based setup on fedora-30

Goal: If a new security vulnerability is found in KeePassXC(eg. 0-day), I would like to ensure the fastest possible update, risking the possibility of not being able to use the application.

By updating from an unstable repository, this can, of course, also introduce vulnerabilities, that has just not been detected yet.

I have decided to rather patch known vulnerabilities, using software with potential unknown vulnerabilities, rather than having unpatched known vulnerabilities. That is basically my risk analysis.

Also, if the application fails and is unusable, it might still be better using “forgot password” features, than using a piece of known insecure software. Depends on who you are, and what level you are comfortable with. Every decision needs to be risk based and subjective to the risk taker.

So, lets solely, enable KeePassXC packages, getting updates from a more unstable branch. Put this in your fedora-30 /etc/yum.repos.d/fedora-updates-testing.repo end of first paragraph:

adding “includepkgs=keepassxc”

This should be called the frog/rabbit method, since we are litterally jumping ahead of ourselves, just as the remark from Quentin Tarantino in “Four Rooms” movie, states.

And I need ALL testing packages, that actually works, ending up in stable. That’s a premise.

UPDATE: As Samuel Sieb described, it is important to have “–disableexcludes” on the commandline, every time you need to update a package from the testing repository. I just experienced, I could not update the 0-day emergency patch from mozilla to firefox, due to this.

SOLUTION: [user@fedora-30 yum.repos.d]$ sudo dnf upgrade –enablerepo=updates-testing –disableexcludes=updates-testing –advisory=FEDORA-2020-2713adc57f

KeepassXC 2.4.2 on fedora-30

UPDATE: 2.4.2 is in stable now, so this post is not needed anymore…

When QubesOS announced that fedora-30 now is supported by Qubes-OS, I went for it straight away and upgraded my fedora-29 template. All went smooth.

My fedora-web-plugin, told me that my keepassxc was outdated and I needed to download a newer version:

So, checking the versions in fedora showed that fedora-30 is not up to date, unlike fedora-31, so I needed to do an upgrade in testing. Testing was in “3 karma”, whatever that means, but it seemed to be tested fine, just not pushed to stable repository yet. :

So, instead of just downloading the package from and miss any updates coming in the future, I decided to install from testing repository, and hope that the package will be sent to stable in the near future. I accept the risk that seems to be close non-existing, compared to trusting the stable/testing repo:

sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2019-99e252df7a
Do this in your qubes template, if the above install and usage of the app is successful. If you’re paranoid, you can test in a small appvm with network capture on, etc. 🙂

The above shows success and the version is as follows on fedora-30:

Enjoy your 2.4.2

And by the way, I actually got appreciation for my patreon support :). Please support it

Less than 10 days later we had the same issue, so contemplating on how it is possible to have 1 package using the “updates-testing” repository and the rest run stable (without having the below running in a cron job)

sudo dnf upgrade --enablerepo=updates-testing keepassxc

Windows 10 on Qubes OS 4.0

Sharing my experiences, installing Windows 10 Enterprise on Qubes 4.0, maybe spiced up with the infamous QWT(Qubes Windows Tools installation(Spoiler alert: NOT Working!).

Following this guide, I will try to describe the issues I’ve been encountering accompanied with screenshots. The big issue is getting the Qubes Windows tools to install properly. All my installations have failed, so even though Invisible Things Lab has worked on QWT tirelessly for years, corporate clients, understandably, is more important than a few backers and the community. The backers are apparently not contributing enough, although I might believe that backer numbers would go through the roof, if the tools would work, flawlessly on windows 10. If you want to contribute to Qubes OS, please donate either once or continuously here. And if you have the skills and tools to make QWT v., then please create an indiegogo(or similar) crowdfunding campaign. I’m sure it will be backed.

But, let’s go and take som challenges. The first one is that fedora doesn’t support exFAT (crazy as it sounds, and I wrote about this before here), and debian does. That means I have to use a debian appVM to share the ISO file to the new Windows 10 VM. unless, there is another way.

mounting usb with my debian
We begin with creating the VM and starting it with the ISO attached
Here is via the qubes manager, browsing to the usb iso, in the VM settings tab. Actually the “block device” option seems neat, too. Very neat, indeed.
It takes quite a while to get this screen, depending on the circumstances of hardware and drivers. Be patient…
Goes without saying
Select here what your license key matches or continue with your favorite flavor if on a company network with a KMS setup.
Don’t use pirated software. It’s highly likely to be infected with malware.
Fresh install is #2
Select the disc you have created at first
Wait for the copy of windows install files
Almost there…
After reboot, the install continues.
As a danish person, using a completely messed up laptop, keyboardwise, I need more than 1 keyboard layout)
And the magic continues
and continues
Change the video and timeout settings, before booting again.
If not using a cloud account(who would want that?, type in stuff, that does not exist, to get the other option
Click on “set up Windows with a local account”
Type a password
and confirm it
Annoying waste of time.
answer annoying questions
do it again
and why can’t you select “none” ?
I need to craete an unattended install.
Enough with the annoyances, already
Now, thing look promising
tadaaa, now we have a bare system with no updates and no QWT. Shut down and clone.
Install updates and activate windows! I had to download some updates manually and choose troubleshoot updates, since errors occurred. I really admire Microsoft on the troubles of updating their systems. I bet, with the Microsoft “contribution” to open source, the problems will start emerging in the linux community over time, also.
always adjust for performance on VM’s. Recommended settings are here
pagefile adjustments per instructions.
After installing all updates, reboot and clone the machine. Then we will be ready for Qubes Crash Tools for Windows.

So, due to the crash of windows 10 after installation of Qubes Windows Tools, it is recommended that you use freerdp, rdesktop or similar to connect to your Windows system, being able to copy/paste clipboard and files, etc. This is a workaround to use clipboard and filesharing, still.

Start the Windows appVM with the QWT for installation.
Doubleclick on it…
Accept the license
Allow chang
Everything but the troublesome selections are to be installed. That is the default settin
The install also demands the install of .NET framework.
The setup requires a restart, and after a restart everything works for a brief moment until next restart.

When the restart is performed, Qubes does a bunch of things, such as moving the user directory from C: to the newly created private drive of 2GB(E:). That fails horribly, btw:

So after installing qubes tools, the system won’t boot. Just like :

Hopefully QWT will be released at some point.

Enabling a bare minimum of WordPress Security

Running a CMS on any website can be cumbersome, constantly checking for updates, manually updating and securing the configuration, if it’s not secure-by-default. A big help is the auto-updating feature of WordPress and the plugins helping administering this. Also the security plugins, minimizing bot attacks and evil doers is also comforting and needed in a hostile environment, such as the internet.

Disabling comments and creation of users is recommended, if not needed. Exploits has been seen that elevates privileges.

So my recommendation is to follow these steps as a bare minimum:

Plugins to install and configure:

404 To Homepage

Disable XML-RPC

Easy Updates Manager


Force Strong Hashing

Limit Login attempts Reloaded

Meta Generator and Version Info Remover

Wordfence Security

WP Statistics

UpdraftPlus(if you need backup, due to your host providers lack thereof)

Use WPScan and Nikto2 from a kali VM, regularly, to test your website for vulnerabilites, misconfiguration, etc. Follow the recommendations and secure your website as much as you feel adequate. removing obvious readme files, using .htaccess, etc.

Qubes OS – Joanna leaving the project, Marek taking the lead

For quite some time, actually since the announcement of Qubes Air, it seemed like Qubes OS has been in a bit of a standstill, strategically.

One of the most important projects in the world, security-wise, is now facing the unknown. Joanna has found other, more interesting grounds, for her to pursue.

It might be a great day or a sad day. Now Marek is taking over, it will be interesting to see if a guy who works a lot already, can take on yet another hat. Will strategic partnerships, fundraising, etc. drown in a developer tunnel-vision mindset?

Hope not. Please DONATE! to ensure vision and development.

CISSP study course

If security has any interest and you live in the United States, the CISSP course is a worthy Human Resource stamp on broad IT understanding & Security. Unfortunately, Europe doesn’t have an equivalent course focusing more on European legislation such as the GDPR as opposed to major focus on American legislation and regulations, such as HIPAA, COPPA, Privacy and Fraud related material.

I took a course 12 years ago, but was too inexperienced to pass the exam back then. I decided that now, more experienced in the security domains and wiser ;), was the time to push through and get the certification, so I bought a few books, and studied hard, taking a week off work cramming, provisionally passing the exam, giving them 6 weeks to check up on my endorsements, etc.

I purchased the following books:

  • (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 8e & CISSP Official (ISC)2 Practice Tests, 2e
  • Official (ISC)2 Guide to the CISSP CBK, Fourth Edition
  • CISSP For Dummies

The CBK, I bought to use as a reference manual after advice from a colleague.

The dummies book lacked a few things, so after a few chapters and some answers to questions in a prep test, not present in the book (regarding security models), I decided to solely focus on the official study guide. I did look up stuff I didn’t understand properly in the Official Study Guide, to see if it was explained better in the Dummies.

Happy studying, if you think it’s worth a shot. No matter what, it’s a great way to catch up on stuff you don’t work on on a daily basis.

And when completing the exam, a great way to get CPE credits for your program is to connect ISC2’s brighttalk channel to your CISSP ID , and all the ISC2 webinars you watch, will automatically be registered.  See support article here

Next step in privacy is NextCloud – Have your cloud@Home

in action

I have never felt comfortable with having my phone pictures in the cloud and preferring only Dropbox(supporting Linux properly), since Google retired picasa and Apple only really worth while if you ONLY use apple products despite what fanboys might say, I decided to avoid vendor lock-in. I have exchanged my iMac and MacBook with Lenovo Yoga 2 Pro(Qubes 3.2) and a Purism Librem 13v2(Qubes 4.0).

I want my data to be @home, without being accessible from the internet. No unnecessary risks of breaches, if avoidable and no access from a giant attack vector(The whole internet if it is in the public cloud). Private cloud it is. And NextCloud seems to be best of breed.

I tried to buy a NextCloud Box, but all sold out in Europe and I was too tired to buy in the US, again.

Bought a CubieTruck and enjoyed the easy install of NextCloud, easy updating automatically, easy setting up the iPhone part, etc.)

Not a usual guide, but a simple heartfelt recommend from here. Try it out. You won’t regret it.

Whonix-14 available in Qubes-OS

As advertised in qubes-users mailing list, the templates of whonix version 14 is now available and flawlessly installed on my Qubes 4.0, without much effort.

I had no issues, so after deleting all existing whonix templates and AppVM‘s, the steps to follow were:

sudo dnf remove qubes-template-whonix-ws

sudo dnf remove qubes-template-whonix-gw

sudo qubesctl state.sls qvm.anon-whonix

sudo qubesctl state.sls qvm.whonix-ws-dvm

And then use Chris Laprise’s script to update them:

./qubes4-multi-update whonix-gw-14 whonix-ws-14

I rarely use whonix, but nonetheless, I encourage anyone using it for good, to donate, supporting the project.

Adding a newer AppVM template to the Disposable VM on Qubes 4.0

After installing Qubes 4.0, I’ve not actually used disposable vm’s as much as I should, but after Micah Lee showed me the Thunderbird plugin, I had to make a newer disp-vm template, than the old fedora-26 without libreoffice. Can’t open word documents without it, I’m afraid.

In Dom0:

qvm-prefs –set <AppVM to use as template> template_for_dispvms True

I have a personal-28 template to use for newer stuff, so that’s what I will use instead.

See the “Default DispVM “is changed from fedora-26 to Personal-28.